CVE-2015-7560: s3: smbd: Refuse to set EA's on a symlink.

[samba.git] / source3 / smbd / trans2.c

diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
index b6109b2d07a9717729b81fe89153b418c8850463..103e601072e19e96a16437812f01e2dbbdd1c1d9 100644 (file)
--- a/source3/smbd/trans2.c
+++ b/source3/smbd/trans2.c
@@ -53,6 +53,34 @@ static char *store_file_unix_basic_info2(connection_struct *conn,
                                files_struct *fsp,
                                const SMB_STRUCT_STAT *psbuf);
 
+/****************************************************************************
+ Check if an open file handle or pathname is a symlink.
+****************************************************************************/
+
+static NTSTATUS refuse_symlink(connection_struct *conn,
+                       const files_struct *fsp,
+                       const char *name)
+{
+       SMB_STRUCT_STAT sbuf;
+       const SMB_STRUCT_STAT *pst = NULL;
+
+       if (fsp) {
+               pst = &fsp->fsp_name->st;
+       } else {
+               int ret = vfs_stat_smb_basename(conn,
+                               name,
+                               &sbuf);
+               if (ret == -1) {
+                       return map_nt_error_from_unix(errno);
+               }
+               pst = &sbuf;
+       }
+       if (S_ISLNK(pst->st_ex_mode)) {
+               return NT_STATUS_ACCESS_DENIED;
+       }
+       return NT_STATUS_OK;
+}
+
 /********************************************************************
  The canonical "check access" based on object handle or path function.
 ********************************************************************/
@@ -208,12 +236,22 @@ NTSTATUS get_ea_names_from_file(TALLOC_CTX *mem_ctx, connection_struct *conn,
        char **names, **tmp;
        size_t num_names;
        ssize_t sizeret = -1;
+       NTSTATUS status;
+
+       if (pnames) {
+               *pnames = NULL;
+       }
+       *pnum_names = 0;
 
        if (!lp_ea_support(SNUM(conn))) {
-               if (pnames) {
-                       *pnames = NULL;
-               }
-               *pnum_names = 0;
+               return NT_STATUS_OK;
+       }
+
+       status = refuse_symlink(conn, fsp, fname);
+       if (!NT_STATUS_IS_OK(status)) {
+               /*
+                * Just return no EA's on a symlink.
+                */
                return NT_STATUS_OK;
        }
 
@@ -263,10 +301,6 @@ NTSTATUS get_ea_names_from_file(TALLOC_CTX *mem_ctx, connection_struct *conn,
 
        if (sizeret == 0) {
                TALLOC_FREE(names);
-               if (pnames) {
-                       *pnames = NULL;
-               }
-               *pnum_names = 0;
                return NT_STATUS_OK;
        }
 
@@ -624,6 +658,11 @@ NTSTATUS set_ea(connection_struct *conn, files_struct *fsp,
                return NT_STATUS_EAS_NOT_SUPPORTED;
        }
 
+       status = refuse_symlink(conn, fsp, smb_fname->base_name);
+       if (!NT_STATUS_IS_OK(status)) {
+               return status;
+       }
+
        status = check_access(conn, fsp, smb_fname, FILE_WRITE_EA);
        if (!NT_STATUS_IS_OK(status)) {
                return status;
@@ -5030,6 +5069,13 @@ NTSTATUS smbd_do_qfilepathinfo(connection_struct *conn,
                                uint16 num_file_acls = 0;
                                uint16 num_def_acls = 0;
 
+                               status = refuse_symlink(conn,
+                                               fsp,
+                                               smb_fname->base_name);
+                               if (!NT_STATUS_IS_OK(status)) {
+                                       return status;
+                               }
+
                                if (fsp && fsp->fh->fd != -1) {
                                        file_acl = SMB_VFS_SYS_ACL_GET_FD(fsp,
                                                talloc_tos());
@@ -6539,6 +6585,7 @@ static NTSTATUS smb_set_posix_acl(connection_struct *conn,
        uint16 num_def_acls;
        bool valid_file_acls = True;
        bool valid_def_acls = True;
+       NTSTATUS status;
 
        if (total_data < SMB_POSIX_ACL_HEADER_SIZE) {
                return NT_STATUS_INVALID_PARAMETER;
@@ -6566,6 +6613,11 @@ static NTSTATUS smb_set_posix_acl(connection_struct *conn,
                return NT_STATUS_INVALID_PARAMETER;
        }
 
+       status = refuse_symlink(conn, fsp, smb_fname->base_name);
+       if (!NT_STATUS_IS_OK(status)) {
+               return status;
+       }
+
        DEBUG(10,("smb_set_posix_acl: file %s num_file_acls = %u, num_def_acls = %u\n",
                smb_fname ? smb_fname_str_dbg(smb_fname) : fsp_str_dbg(fsp),
                (unsigned int)num_file_acls,